Whilst for most realms it does consider if an identity exists, for realms such as JAAS and possibly custom realms we may not know if an identity exists so this could be used as a way to OOM the server.

We will add a configuration options and set our default starting size to 1,000
We will ensure the eviction strategy also considers access so identities being regularly accessed will not be pushed to the bottom of the list.